ghsa-994x-qfhh-4rm7
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
powerpc/papr_scm: Fix leaking nvdimm_events_map elements
Right now 'char *' elements allocated for individual 'stat_id' in 'papr_scm_priv.nvdimm_events_map[]' during papr_scm_pmu_check_events(), get leaked in papr_scm_remove() and papr_scm_pmu_register(), papr_scm_pmu_check_events() error paths.
Also individual 'stat_id' arent NULL terminated 'char ' instead they are fixed 8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a NULL terminated 'char ' and at other places it assumes it to be a 'papr_scm_perf_stat.stat_id' sized string which is 8-byes in size.
Fix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also include space for 'stat_id' entries. This is possible since number of available events/stat_ids are known upfront. This saves some memory and one extra level of indirection from 'nvdimm_events_map' to 'stat_id'. Also rest of the code can continue to call 'kfree(papr_scm_priv.nvdimm_events_map)' without needing to iterate over the array and free up individual elements.
{
"affected": [],
"aliases": [
"CVE-2022-49436"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/papr_scm: Fix leaking nvdimm_events_map elements\n\nRight now \u0027char *\u0027 elements allocated for individual \u0027stat_id\u0027 in\n\u0027papr_scm_priv.nvdimm_events_map[]\u0027 during papr_scm_pmu_check_events(), get\nleaked in papr_scm_remove() and papr_scm_pmu_register(),\npapr_scm_pmu_check_events() error paths.\n\nAlso individual \u0027stat_id\u0027 arent NULL terminated \u0027char *\u0027 instead they are fixed\n8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a\nNULL terminated \u0027char *\u0027 and at other places it assumes it to be a\n\u0027papr_scm_perf_stat.stat_id\u0027 sized string which is 8-byes in size.\n\nFix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also\ninclude space for \u0027stat_id\u0027 entries. This is possible since number of available\nevents/stat_ids are known upfront. This saves some memory and one extra level of\nindirection from \u0027nvdimm_events_map\u0027 to \u0027stat_id\u0027. Also rest of the code\ncan continue to call \u0027kfree(papr_scm_priv.nvdimm_events_map)\u0027 without needing to\niterate over the array and free up individual elements.",
"id": "GHSA-994x-qfhh-4rm7",
"modified": "2025-10-22T18:30:31Z",
"published": "2025-10-22T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49436"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e0946e22f3665d27325d389ff45ade6e93f3678"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b073096df4dec70d0436321b7093bad27ae91f9e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.